New Report on “The Use of Biometric Data to Identify Terrorists: Best Practice or Risky Business?"

The UN Special Rapporteur on the promotion and protection of human rights and fundamental freedoms while countering terrorism, Professor Fionnuala Ní Aoláin together with Dr. Krisztina Huszti-Orbán, released today a key report on the “Use of Biometric Data to Identify Terrorists: Best Practice or Risky Business?”.

The report explores the human rights risks involved in the deployment of biometrics emphasising that

in the absence of robust rights protections which are institutionally embedded to oversee collection, storage, and use of such evidence, relevant practices are likely to infringe international human rights law standards.

It offers an insight to the deployment of biometrics in the counter-terrorism context and beyond after the adoption of Security Council Resolution 2396, which for the first time imposed a binding obligation on UN member states to

develop and implement systems to collect biometric data, which could include fingerprints, photographs, facial recognition, and other relevant identifying biometric data, in order to responsibly and properly identify terrorists, including foreign terrorist fighters.

Counter-terrorism has even more since been a driver for furthering and expanding surveillance.

While the resolution does note that the introduction of these measures need to be “in compliance with domestic and international law, including human rights law", there is far from enough guidance on how states are to do this, in particular when many lack effective regulations and enforcement mechanisms to protect people, their personal data and their privacy. The report raises the alarm on that.

To that end, the report highlights the absence of human rights discource in existing procedures even within the UN. It underlines the failure of UN institutions to give the granular advice that member states need. For example, the 2018 UN report, produced in association wiht the Biometrics Institute (the Compendium of Recommended Practices for the Responsible Use and Sharing of Biometrics in Counter-Terrorism) “falls short of comprehensively addressing human rights implications and providing granular guidance to Member States”.

PI previously highlighted concerns about the obligations imposed on UN Member States by Resolution 2396 use of biometric data in counter-terrorism which echo the recommendations presented in this report.

A human rights approach, including the protection of the right to privacy but other human rights and freedoms, is key to ensure an effective counter-terrorism strategy. A human rights approach to counter-terrorism involves at least the following:

An adequate national legal framework

Processing of biometric data, including collection, analysis, storing, sharing, must be prescribed by law and limited to that strictly and demonstrably necessary to achieve a legitimate aim. That law must be accessible to the public and sufficiently clear and precise to enable persons to foresee its application and the extent of the intrusion with someone’s privacy.

And yet, in few countries is effective legislation in place, be it in the form comprehensive data protection or other sectorial laws, to regulate the use and sharing of biometric data especially when the processing is done by law enforcement and intelligence agencies who are often extempt from such regulations. Additionally, counter-terrorism legislation is often used to bypass and ignore other obligations.

Necessity and proportionality assessment

Any interference with the right to privacy needs to comply with the principles of necessity and proportionality to ensure that the the least intrusive means to achieve the relevant legitimate aim is adopted.

And yet the fact Resolution 2396 is binding may mean that little significance is given to the need to undertake a necessity and proportionality assessment to decide whether or not to proceed with the processing of biometric data for the purpose of investigating acts of terrorism as it is already imposes it on member states to do so. And yet, it is crucial that they do it too.

Regulation of retention of and access to biometric databases

The new report articulates the need to recognise the risks that may emerge throughout the data lifecyle and noted that lengthy, disproportionate and arbitrary retention policies by default create more instances where the security and integrity of the data could be at risk of being compromised.

This is why the recommendation in the report to ensure human rights compliance of measures involving biometric data to be duly assessed at every stage of data usage is crucial, and data should be disregarded as soon as no longer necessary and proportionate to retain it.

Security protection and framework in case of breaches

Unlike a password, an individual’s biometrics cannot be easily changed. As a result rectification of the unauthorised access to biometric data are either impossible or incurring a significant cost.

Whilst often sidelined and treated as an afterthought, we support the recommendation that states must take necessary and adequate measures to safeguard the security of biometric systems and databases, and for industry to undertake the same.

Adequate AI protections

Artificial Intelligence (AI) applications have found their way into various different contexts, ranging from advertising, to welfare systems and migration control measures. Depending on the sector in which AI is applied the implications may differ considerably, as well as the impact on human rights.

PI has warned against the dangers of automated processing of personal data, including biometric data processed for counter-terrorism purposes. The automatic processing of this information is likely to be carried out by means of Artifical Intelligence driven technologies such as machine learning (which makes inferences, predictions and decisions about individuals), domain-specific AI algorithms, fully autonomous and connected objects and even the futuristic idea of an AI ‘singularity’.

There are on-going concerns about the opacity and secrecy of profiling and the risks of data exploitation as a result of the asymetry in the digital ecosystem where individuals can be identified and tracked across devices and online/offline spaces, often without their knowledge.

The report recommends that State action must be aimed at ensuring and safeguarding transparency and accountability of automated processes as one way of minimising the potentially discriminatory impact of automatically processed biometric data.

Regulation of international sharing of biometric data and access to biometric databases

Data sharing among states is gaining prominence, particularly in light of the need to coordinate counter-terrorism activities across borders. Whilst Resolution 2396 does not oblige UN Member States to share biometric data it encourages it.

Intelligence sharing does not per se violate international human rights law.But unregulated intelligence sharing does pose substantive risks to human rights and to the democratic rule of law because it allows governments to share information in the absence of clear laws and robust independent oversight. And as previously highlighted by Privacy International, most governments around the world engage in such unregulated intelligence sharing.

This is a key aspect of counter-terrorism which requires additional scrutinity as highlighted by the report to be provided for by law and subject to independent oversight in particular to ensure that such data sharing does not result in any form of international cooperation that may facilitate human rights violations or abuses

Independent oversight

Independent oversight mechanisms are central to ensuring that laws are effectively implemented, and rights are protected from arbitrary and unlawful interferences. Such accountability mechanisms provide the structure and space to assess the effective implementation of the law, ensure that those with responsabilities and obligations abide by them, and they also provide a level of scrutinity and transparency which is essential for trust.

The report states that adequate protection of the right to privacy requires that surveillance measures are subject to robust, independent oversight systems as an effective safeguard against arbitrariness, as also consistently highlighted by UN and regional human rights mechanisms, including in respect of surveillance carried out pursuant to anti-terrorism powers

The role of industry must be further scrutinised

Powerful industry, often with closed ties with governments, offer biometrics technology and identification system relying on biometrics data, and they are often far from being transparent about their involvement in such operations and how these are connected to their commercial interests.

UN Guiding Principles on Business and Human Rights (UNGPs) do provide an authoritative global standard for preventing and addressing adverse human rights impacts linked to business activity that should be used as a basis to ensure that biometrics industry and other surveillance companies comply with their human rights obligations.

Industry has obligations to comply with national and international human rights standards, and other instruments which regulate the processing of personal data. Companies involved in public-private partnerships must be subject to robust due diligence framework where they demonstrate compliance with their national and international obligations.

Address the disproportionate impact on marginalised communities

The mandate of the Special Rapporteur highlights that relevant human rights implications are likely to be amplified in case of groups and persons who are already marginalized or discriminated against, such as women, members of ethnic, religious, racial, sexual, and other minorities as well as groups and persons in vulnerable situations, such as refugees and asylum-seekers or persons affected by armed conflict and other types of violence.

We have observed that often counter-terrorism strategies and policies are used to justify measures that erode human rights protections and ultimately put people’s security at risk. They often target the most vulnerable: migrants and refugees - as they cross national borders equipped with facial recognition and other biometric technologies; human rights defenders - as they are targeted by unlawful surveillance deployed in the name of counter-terrorism; and civil society organisations - as their access to international funding is curbed.

PI has made submissions on the discriminatory impacts of digital technologies from biometrics, and facial recognition have on refugees as well as migrants.

What’s next?: Acting on these findings

The report provides a comprehensive mapping of the main human right and ethical issues implicated associated with the use of biometric data in counter-terrorism policies and practices, in particular for the purpose of identification potential suspects of terrorist acts. The report also highlights the emerging threats when more traditional processing activities of such data are combined with new technologies such as artificial intelligence.

We strongly urge the various actors to review their policies and practices, and ensure they are aligned with their national and human rights obligations. The policies developed by political and corporate actors for counter-terrorism purposes must be subject to democratic accountability, public debate or and the involvement or scrutiny from civil society.

We look forward to the various human right monitoring mechanisms as well as decision-making bodies integrating these issues into their mandates and priorities.

To find out more about PI’s work in this domain, sign out to keep up to date and follow our campaign demanding increased scrutinity of the global counter-terrorism agenda.